Add OCSP and CRL URIs to certificates

Modify the default IPA CA certificate profile to include the CRL
Distribution Points and Authority Information Access (OCSP) extensions,
so that issued certificates carry the URIs of the IPA CRL and OCSP
responder.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
Martin Kosek
2012-11-19 10:32:28 -05:00
committed by Rob Crittenden
parent 0d836cd6ee
commit 867f7691e9
7 changed files with 256 additions and 40 deletions


@@ -24,3 +24,6 @@ _kerberos-master._udp IN SRV 0 100 88 $HOST
_kpasswd._tcp IN SRV 0 100 464 $HOST _kpasswd._tcp IN SRV 0 100 464 $HOST
_kpasswd._udp IN SRV 0 100 464 $HOST _kpasswd._udp IN SRV 0 100 464 $HOST
$OPTIONAL_NTP $OPTIONAL_NTP
; CNAME for IPA CA replicas (used for CRL, OCSP)
$IPA_CA_CNAME IN CNAME $HOST
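Review bot: `$IPA_CA_CNAME IN CNAME $HOST` models the shared ipa-ca name as a CNAME, but a name may carry only one CNAME RR (RFC 1034 §3.6.2, RFC 2181 §10.1), so the commit's stated goal of pointing `ipa-ca.$DOMAIN` at every CA-enabled replica cannot be met with this record type once a second CA replica adds its own CNAME under the same name; presumably BIND or the LDAP DNS plugin will reject or ignore the extra record, and resolvers cache a single target. Publishing one A/AAAA record per CA replica under the `ipa-ca` name (e.g. `$IPA_CA_CNAME IN A $IP`) gives the intended round-robin and stays standards-compliant. If the CNAME is kept for this release, the template comment should say the name resolves to a single CA host, not to all replicas.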


@@ -31,17 +31,17 @@ from ipaserver.install import certs
from ipaserver.install.installutils import HostnameLocalhost from ipaserver.install.installutils import HostnameLocalhost
from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
from ipaserver.install.installutils import get_host_name, BadHostError from ipaserver.install.installutils import get_host_name, BadHostError
from ipaserver.install import dsinstance, cainstance from ipaserver.install import dsinstance, cainstance, bindinstance
from ipaserver.install.replication import replica_conn_check from ipaserver.install.replication import replica_conn_check
from ipapython import version from ipapython import version
from ipalib import api, util from ipalib import api, util
from ipapython.dn import DN
from ipapython.config import IPAOptionParser from ipapython.config import IPAOptionParser
from ipapython import sysrestore from ipapython import sysrestore
from ipapython import dogtag from ipapython import dogtag
from ipapython.ipa_log_manager import * from ipapython.ipa_log_manager import *
log_file_name = "/var/log/ipareplica-ca-install.log" log_file_name = "/var/log/ipareplica-ca-install.log"
CACERT = "/etc/ipa/ca.crt"
REPLICA_INFO_TOP_DIR = None REPLICA_INFO_TOP_DIR = None
def parse_options(): def parse_options():
@@ -74,6 +74,22 @@ def parse_options():
def get_dirman_password(): def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def install_dns_records(config, options):
if not bindinstance.dns_container_exists(config.master_host_name,
ipautil.realm_to_suffix(config.realm_name),
dm_password=config.dirman_password):
return
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
try:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=config.dirman_password)
bind.add_ipa_ca_cname(config.host_name, config.domain_name)
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
def main(): def main():
safe_options, options, filename = parse_options() safe_options, options, filename = parse_options()
@@ -176,6 +192,9 @@ def main():
CA.enable_client_auth_to_db() CA.enable_client_auth_to_db()
CA.restart() CA.restart()
# Install CA DNS records
install_dns_records(config, options)
# We need to restart apache as we drop a new config file in there # We need to restart apache as we drop a new config file in there
ipaservices.knownservices.httpd.restart(capture_output=True) ipaservices.knownservices.httpd.restart(capture_output=True)
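Review bot: `install_dns_records` returns silently when `dns_container_exists` is false, yet the CA profile configured earlier in this run already emits `ipa-ca.<domain>` in the AIA/CDP of every certificate, so on a deployment with external DNS the administrator is never told to create that record and revocation lookups will fail to resolve. A one-line message before the `return`, e.g. `print "DNS is not managed by IPA; create an ipa-ca.%s record pointing to this host so the CRL/OCSP URIs in issued certificates resolve" % config.domain_name`, closes that gap. The `options` parameter of the new function is unused and can be dropped or documented as reserved.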


@@ -247,7 +247,8 @@ def install_bind(config, options):
print "Using reverse zone %s" % reverse_zone print "Using reverse zone %s" % reverse_zone
bind.setup(config.host_name, config.ip_address, config.realm_name, bind.setup(config.host_name, config.ip_address, config.realm_name,
config.domain_name, forwarders, options.conf_ntp, reverse_zone) config.domain_name, forwarders, options.conf_ntp, reverse_zone,
ca_configured=options.setup_ca)
bind.create_instance() bind.create_instance()
print "" print ""
@@ -296,7 +297,8 @@ def install_dns_records(config, options):
bind.add_master_dns_records(config.host_name, config.ip_address, bind.add_master_dns_records(config.host_name, config.ip_address,
config.realm_name, config.domain_name, config.realm_name, config.domain_name,
reverse_zone, options.conf_ntp) reverse_zone, options.conf_ntp,
options.setup_ca)
def check_dirsrv(): def check_dirsrv():
(ds_unsecure, ds_secure) = dsinstance.check_ports() (ds_unsecure, ds_secure) = dsinstance.check_ports()


@@ -965,8 +965,8 @@ def main():
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants) dogtag_constants=dogtag.install_constants)
if external == 0: if external == 0:
ca.configure_instance(host_name, dm_password, dm_password, ca.configure_instance(host_name, domain_name, dm_password,
subject_base=options.subject) dm_password, subject_base=options.subject)
elif external == 1: elif external == 1:
# stage 1 of external CA installation # stage 1 of external CA installation
options.realm_name = realm_name options.realm_name = realm_name
@@ -979,12 +979,13 @@ def main():
options.forwarders = dns_forwarders options.forwarders = dns_forwarders
options.reverse_zone = reverse_zone options.reverse_zone = reverse_zone
write_cache(vars(options)) write_cache(vars(options))
ca.configure_instance(host_name, dm_password, dm_password, ca.configure_instance(host_name, domain_name, dm_password,
csr_file="/root/ipa.csr", dm_password, csr_file="/root/ipa.csr",
subject_base=options.subject) subject_base=options.subject)
else: else:
# stage 2 of external CA installation # stage 2 of external CA installation
ca.configure_instance(host_name, dm_password, dm_password, ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=options.external_cert_file, cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file, cert_chain_file=options.external_ca_file,
subject_base=options.subject) subject_base=options.subject)
@@ -1079,7 +1080,8 @@ def main():
options.conf_ntp, reverse_zone, zonemgr=options.zonemgr, options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
zone_refresh=options.zone_refresh, zone_refresh=options.zone_refresh,
persistent_search=options.persistent_search, persistent_search=options.persistent_search,
serial_autoincrement=options.serial_autoincrement) serial_autoincrement=options.serial_autoincrement,
ca_configured=not options.selfsign)
if options.setup_dns: if options.setup_dns:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)
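Review bot: `configure_instance` now takes the DNS domain as its second positional argument, and all three call sites here pass `(host_name, domain_name, dm_password, dm_password, ...)` positionally; any caller not updated in lockstep (an out-of-tree script or a missed site) would silently hand the Directory Manager password in as `domain`, and it would then be written into the CA profile and into the AIA/CDP URIs of every issued certificate. Passing it by keyword, `ca.configure_instance(host_name, domain=domain_name, dm_password=dm_password, admin_password=dm_password, subject_base=options.subject)`, makes a signature mismatch fail at the call instead. A cheap guard in `configure_instance` that rejects a `domain` containing whitespace or not being a suffix of the host's FQDN would catch the same class of slip. `main()` begins and ends outside these hunks.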


@@ -30,6 +30,7 @@ try:
from ipapython.ipa_log_manager import * from ipapython.ipa_log_manager import *
from ipapython import certmonger from ipapython import certmonger
from ipapython import dogtag from ipapython import dogtag
from ipapython.dn import DN
from ipaserver.install import installutils from ipaserver.install import installutils
from ipaserver.install import dsinstance from ipaserver.install import dsinstance
from ipaserver.install import httpinstance from ipaserver.install import httpinstance
@@ -47,6 +48,7 @@ try:
import pwd import pwd
import fileinput import fileinput
from ipalib import api from ipalib import api
import ipalib.util
import ipalib.errors import ipalib.errors
except ImportError: except ImportError:
print >> sys.stderr, """\ print >> sys.stderr, """\
@@ -307,7 +309,7 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain) http.setup_firefox_extension(realm, domain)
def upgrade_ipa_profile(ca): def upgrade_ipa_profile(ca, domain, fqdn):
""" """
Update the IPA Profile provided by dogtag Update the IPA Profile provided by dogtag
@@ -321,7 +323,8 @@ def upgrade_ipa_profile(ca):
else: else:
root_logger.debug('Subject Key Identifier already set.') root_logger.debug('Subject Key Identifier already set.')
audit = ca.set_audit_renewal() audit = ca.set_audit_renewal()
if audit or ski: uri = ca.set_crl_ocsp_extensions(domain, fqdn)
if audit or ski or uri:
return True return True
else: else:
root_logger.info('CA is not configured') root_logger.info('CA is not configured')
@@ -575,6 +578,32 @@ def migrate_crl_publish_dir(ca):
'request pki-ca restart') 'request pki-ca restart')
return True return True
def add_server_cname_records():
root_logger.info('[Add missing server CNAME records]')
if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
try:
api.Backend.ldap2.connect(autobind=True)
except ipalib.errors.PublicError, e:
root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
else:
ret = api.Command['dns_is_enabled']()
if not ret['result']:
root_logger.info('DNS is not configured')
sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
return
bind = bindinstance.BindInstance()
# DNS is enabled, so let bindinstance find out if CA is enabled
# and let it add the CNAME in that case
bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
else:
root_logger.info('IPA CA CNAME already processed')
def main(): def main():
""" """
Get some basics about the system. If getting those basics fail then Get some basics about the system. If getting those basics fail then
@@ -602,7 +631,7 @@ def main():
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
api.bootstrap(context='restart') api.bootstrap(context='restart', in_server=True)
api.finalize() api.finalize()
fqdn = find_hostname() fqdn = find_hostname()
@@ -667,13 +696,14 @@ def main():
cleanup_kdc(fstore) cleanup_kdc(fstore)
setup_firefox_extension(fstore) setup_firefox_extension(fstore)
add_server_cname_records()
changed_psearch = named_enable_psearch() changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement() changed_autoincrement = named_enable_serial_autoincrement()
if changed_psearch or changed_autoincrement: if changed_psearch or changed_autoincrement:
# configuration has changed, restart the name server # configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named') root_logger.info('Changes to named.conf have been made, restart named')
bindinstance.BindInstance(fstore).restart() bindinstance.BindInstance(fstore).restart()
ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca) ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
if ca_restart: if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca') root_logger.info('pki-ca configuration changed, restart pki-ca')
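Review bot: In `add_server_cname_records` only `api.Backend.ldap2.connect` is guarded by `except ipalib.errors.PublicError`; the `dns_is_enabled` command and `bind.add_ipa_ca_cname(...)` in the `else:` branch run unguarded, so if the record add raises (for instance on a conflicting existing `ipa-ca` record, if `add_rr` lets such errors through) the exception escapes the function and aborts the remainder of `main()`, skipping the named and pki-ca profile upgrades that follow. Since this is best-effort housekeeping, move the add under the same `try`, or wrap it with `except ipalib.errors.PublicError, e: root_logger.error("Cannot add ipa-ca CNAME: %s", e)`, and leave the `ipa_ca_cname` state unset on failure so it is retried next run. The state is also marked done when DNS is not configured; that is only correct if the later DNS-install path adds the record itself, which the `ca_configured=None` default on `BindInstance.setup` suggests but this hunk does not show. `main()` begins and ends outside the hunk.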


@@ -28,6 +28,7 @@ import ldap
import service import service
from ipaserver import ipaldap from ipaserver import ipaldap
from ipaserver.install.dsinstance import realm_to_serverid from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install.cainstance import IPA_CA_CNAME
from ipaserver.install.installutils import resolve_host from ipaserver.install.installutils import resolve_host
from ipapython import sysrestore from ipapython import sysrestore
from ipapython import ipautil from ipapython import ipautil
@@ -330,7 +331,7 @@ def del_rr(zone, name, type, rdata):
delkw = { '%srecord' % str(type.lower()) : unicode(rdata) } delkw = { '%srecord' % str(type.lower()) : unicode(rdata) }
try: try:
api.Command.dnsrecord_del(unicode(zone), unicode(name), **delkw) api.Command.dnsrecord_del(unicode(zone), unicode(name), **delkw)
except (errors.NotFound, errors.EmptyModlist): except (errors.NotFound, errors.AttrValueNotFound, errors.EmptyModlist):
pass pass
def get_rr(zone, name, type): def get_rr(zone, name, type):
@@ -430,7 +431,8 @@ class BindInstance(service.Service):
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
reverse_zone, named_user="named", zonemgr=None, reverse_zone, named_user="named", zonemgr=None,
zone_refresh=0, persistent_search=True, serial_autoincrement=True): zone_refresh=0, persistent_search=True, serial_autoincrement=True,
ca_configured=None):
self.named_user = named_user self.named_user = named_user
self.fqdn = fqdn self.fqdn = fqdn
self.ip_address = ip_address self.ip_address = ip_address
@@ -444,6 +446,7 @@ class BindInstance(service.Service):
self.zone_refresh = zone_refresh self.zone_refresh = zone_refresh
self.persistent_search = persistent_search self.persistent_search = persistent_search
self.serial_autoincrement = serial_autoincrement self.serial_autoincrement = serial_autoincrement
self.ca_configured = ca_configured
if not zonemgr: if not zonemgr:
self.zonemgr = 'hostmaster.%s' % self.domain self.zonemgr = 'hostmaster.%s' % self.domain
@@ -497,6 +500,7 @@ class BindInstance(service.Service):
if self.reverse_zone is not None: if self.reverse_zone is not None:
self.step("setting up reverse zone", self.__setup_reverse_zone) self.step("setting up reverse zone", self.__setup_reverse_zone)
self.step("setting up our own record", self.__add_self) self.step("setting up our own record", self.__add_self)
self.step("setting up CA CNAME record", self.__add_ipa_ca_cname)
self.step("setting up kerberos principal", self.__setup_principal) self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up named.conf", self.__setup_named_conf) self.step("setting up named.conf", self.__setup_named_conf)
@@ -556,6 +560,7 @@ class BindInstance(service.Service):
OPTIONAL_NTP=optional_ntp, OPTIONAL_NTP=optional_ntp,
ZONEMGR=self.zonemgr, ZONEMGR=self.zonemgr,
ZONE_REFRESH=self.zone_refresh, ZONE_REFRESH=self.zone_refresh,
IPA_CA_CNAME=IPA_CA_CNAME,
PERSISTENT_SEARCH=boolean_var['persistent_search'], PERSISTENT_SEARCH=boolean_var['persistent_search'],
SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],) SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
@@ -582,6 +587,28 @@ class BindInstance(service.Service):
def __add_self_ns(self): def __add_self_ns(self):
add_ns_rr(self.domain, api.env.host, self.dns_backup, force=True) add_ns_rr(self.domain, api.env.host, self.dns_backup, force=True)
def __add_ipa_ca_cname(self):
if self.ca_configured is False:
root_logger.debug("CA is not configured, skip this step")
return
elif self.ca_configured is None:
# we do not know if CA is configured for this host and we can
# add the CA CNAME record. So we need to find out
root_logger.debug("Check if CA is enabled for this host")
base_dn = DN(('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'),
('cn', 'etc'), api.env.basedn)
ldap_filter = '(&(objectClass=ipaConfigObject)(cn=CA))'
try:
api.Backend.ldap2.find_entries(filter=ldap_filter, base_dn=base_dn)
except ipalib.errors.NotFound:
# CA is not configured
root_logger.debug("CA is not configured")
return
else:
root_logger.debug("CA is configured for this host, continue")
add_rr(self.domain, IPA_CA_CNAME, "CNAME", self.host_in_rr)
def __add_self(self): def __add_self(self):
zone = self.domain zone = self.domain
resource_records = ( resource_records = (
@@ -681,7 +708,7 @@ class BindInstance(service.Service):
resolv_fd.close() resolv_fd.close()
def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name, def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
reverse_zone, ntp=False): reverse_zone, ntp=False, ca_configured=None):
self.fqdn = fqdn self.fqdn = fqdn
self.ip_address = ip_address self.ip_address = ip_address
self.realm = realm_name self.realm = realm_name
@@ -690,23 +717,36 @@ class BindInstance(service.Service):
self.suffix = ipautil.realm_to_suffix(self.realm) self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp self.ntp = ntp
self.reverse_zone = reverse_zone self.reverse_zone = reverse_zone
self.ca_configured = ca_configured
self.__add_self() self.__add_self()
self.__add_ipa_ca_cname()
def add_ipa_ca_cname(self, fqdn, domain_name, ca_configured=True):
self.host = fqdn.split(".")[0]
self.fqdn = fqdn
self.domain = domain_name
self.ca_configured = ca_configured
self.__add_ipa_ca_cname()
def remove_master_dns_records(self, fqdn, realm_name, domain_name): def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host = fqdn.split(".")[0] host = fqdn.split(".")[0]
self.host = host
self.fqdn = fqdn
self.domain = domain_name
suffix = ipautil.realm_to_suffix(realm_name) suffix = ipautil.realm_to_suffix(realm_name)
zone = domain_name zone = domain_name
resource_records = ( resource_records = (
("_ldap._tcp", "SRV", "0 100 389 %s" % host), ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
("_kerberos._tcp", "SRV", "0 100 88 %s" % host), ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos._udp", "SRV", "0 100 88 %s" % host), ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % host), ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % host), ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % host), ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_kpasswd._udp", "SRV", "0 100 464 %s" % host), ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_ntp._udp", "SRV", "0 100 123 %s" % host), ("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
(IPA_CA_CNAME, "CNAME", self.host_in_rr),
("@", "NS", fqdn+"."), ("@", "NS", fqdn+"."),
) )
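Review bot: `__add_ipa_ca_cname` catches `ipalib.errors.NotFound`, while the same module refers to that class as `errors.NotFound` (see the `del_rr` hunk above) and the import hunk adds no `import ipalib`; if the bare `ipalib` name is not bound elsewhere in this file, the `except` expression is only evaluated when `find_entries` raises, so a host without a CA would surface a `NameError` instead of taking the 'CA is not configured' debug path. Use `except errors.NotFound:` for consistency with the rest of the file. `DN` and `root_logger` are likewise used here without a visible import in this hunk — worth confirming they are in scope.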


@@ -66,6 +66,9 @@ DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
PKI_USER = "pkiuser" PKI_USER = "pkiuser"
PKI_DS_USER = dogtag.install_constants.DS_USER PKI_DS_USER = dogtag.install_constants.DS_USER
# When IPA is installed with DNS support, this CNAME should hold all IPA
# replicas with CA configured
IPA_CA_CNAME = "ipa-ca"
# We need to reset the template because the CA uses the regular boot # We need to reset the template because the CA uses the regular boot
# information # information
@@ -497,6 +500,7 @@ class CAInstance(service.Service):
self.dm_password = None self.dm_password = None
self.admin_password = None self.admin_password = None
self.fqdn = None self.fqdn = None
self.domain = None
self.pkcs12_info = None self.pkcs12_info = None
self.clone = False self.clone = False
@@ -516,7 +520,7 @@ class CAInstance(service.Service):
self.ra_agent_db = ra_db self.ra_agent_db = ra_db
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt" self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
self.ds_port = DEFAULT_DSPORT self.ds_port = DEFAULT_DSPORT
self.domain_name = "IPA" self.security_domain_name = "IPA"
self.server_root = dogtag_constants.SERVER_ROOT self.server_root = dogtag_constants.SERVER_ROOT
self.ra_cert = None self.ra_cert = None
self.requestId = None self.requestId = None
@@ -534,7 +538,7 @@ class CAInstance(service.Service):
return os.path.exists(os.path.join( return os.path.exists(os.path.join(
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)) self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME))
def configure_instance(self, host_name, dm_password, def configure_instance(self, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT, admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None, pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None, cert_file=None, cert_chain_file=None,
@@ -552,6 +556,7 @@ class CAInstance(service.Service):
csr_file. For step 2 set cert_file and cert_chain_file. csr_file. For step 2 set cert_file and cert_chain_file.
""" """
self.fqdn = host_name self.fqdn = host_name
self.domain = domain
self.dm_password = dm_password self.dm_password = dm_password
self.admin_password = admin_password self.admin_password = admin_password
self.ds_port = ds_port self.ds_port = ds_port
@@ -596,6 +601,7 @@ class CAInstance(service.Service):
self.step("set up CRL publishing", self.__enable_crl_publish) self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("set certificate subject base", self.__set_subject_in_config) self.step("set certificate subject base", self.__set_subject_in_config)
self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("configuring certificate server to start on boot", self.__enable) self.step("configuring certificate server to start on boot", self.__enable)
if not self.clone: if not self.clone:
@@ -633,7 +639,7 @@ class CAInstance(service.Service):
"pki_client_database_password": self.admin_password, "pki_client_database_password": self.admin_password,
"pki_client_database_purge": "False", "pki_client_database_purge": "False",
"pki_client_pkcs12_password": self.admin_password, "pki_client_pkcs12_password": self.admin_password,
"pki_security_domain_name": self.domain_name, "pki_security_domain_name": self.security_domain_name,
"pki_admin_name": "admin", "pki_admin_name": "admin",
"pki_admin_uid": "admin", "pki_admin_uid": "admin",
"pki_admin_email": "root@localhost", "pki_admin_email": "root@localhost",
@@ -800,7 +806,7 @@ class CAInstance(service.Service):
"-client_certdb_dir", self.ca_agent_db, "-client_certdb_dir", self.ca_agent_db,
"-client_certdb_pwd", self.admin_password, "-client_certdb_pwd", self.admin_password,
"-preop_pin" , preop_pin, "-preop_pin" , preop_pin,
"-domain_name", self.domain_name, "-domain_name", self.security_domain_name,
"-admin_user", "admin", "-admin_user", "admin",
"-admin_email", "root@localhost", "-admin_email", "root@localhost",
"-admin_password", self.admin_password, "-admin_password", self.admin_password,
@@ -1239,6 +1245,124 @@ class CAInstance(service.Service):
return publishdir return publishdir
def __set_crl_ocsp_extensions(self):
self.set_crl_ocsp_extensions(self.domain, self.fqdn)
def set_crl_ocsp_extensions(self, domain, fqdn):
"""
Configure CRL and OCSP extensions in default IPA certificate profile
if not done already.
"""
changed = False
# OCSP extension
ocsp_location_0 = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
separator='=')
if not ocsp_location_0:
# Set the first OCSP URI
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)),
quotes=False, separator='=')
changed = True
ocsp_profile_count = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
separator='=')
if ocsp_profile_count == '1':
# add the second OCSP URI
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1',
'true', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1',
'URIName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1',
'http://%s/ca/ocsp' % ipautil.format_netloc(fqdn),
quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1',
'1.3.6.1.5.5.7.48.1', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
'2', quotes=False, separator='=')
changed = True
# CRL extension
crl_issuer_0 = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
separator='=')
if not crl_issuer_0:
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0',
'DirectoryName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)),
quotes=False, separator='=')
changed = True
crl_profile_count = installutils.get_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsNum',
separator='=')
if crl_profile_count == '1':
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsEnable_1',
'true', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1',
'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1',
'DirectoryName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1',
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn),
quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1',
'URIName', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsReasons_1',
'', quotes=False, separator='=')
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsNum',
'2', quotes=False, separator='=')
changed = True
# CRL extension is not enabled by default
setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list', separator='=')
new_set_list = None
if setlist == '1,2,3,4,5,6,7,8':
new_set_list = '1,2,3,4,5,6,7,8,9'
elif setlist == '1,2,3,4,5,6,7,8,10':
new_set_list = '1,2,3,4,5,6,7,8,9,10'
if new_set_list:
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list',
new_set_list, quotes=False, separator='=')
changed = True
return changed
def __enable_crl_publish(self): def __enable_crl_publish(self):
""" """
Enable file-based CRL publishing and disable LDAP publishing. Enable file-based CRL publishing and disable LDAP publishing.
@@ -1279,12 +1403,6 @@ class CAInstance(service.Service):
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=') installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=') installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
# Fix the CRL URI in the profile
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
quotes=False, separator='=')
# If we are the initial master then we are the CRL generator, otherwise # If we are the initial master then we are the CRL generator, otherwise
# we point to that master for CRLs. # we point to that master for CRLs.
if not self.clone: if not self.clone:
@@ -1484,11 +1602,12 @@ class CAInstance(service.Service):
# this is the default setting from pki-ca/pki-tomcat. Don't touch it # this is the default setting from pki-ca/pki-tomcat. Don't touch it
# if a user has manually modified it. # if a user has manually modified it.
if setlist == '1,2,3,4,5,6,7,8': if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9':
setlist = setlist + ',10'
installutils.set_directive( installutils.set_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE, self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list', 'policyset.serverCertSet.list',
'1,2,3,4,5,6,7,8,10', setlist,
quotes=False, separator='=') quotes=False, separator='=')
installutils.set_directive( installutils.set_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE, self.dogtag_constants.IPA_SERVICE_PROFILE,
@@ -1676,8 +1795,9 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
# If installing this afterward the Apache NSS database already # If installing this afterward the Apache NSS database already
# exists, don't remove it. # exists, don't remove it.
ca.create_ra_agent_db = False ca.create_ra_agent_db = False
ca.configure_instance(config.host_name, config.dirman_password, ca.configure_instance(config.host_name, config.domain_name,
config.dirman_password, pkcs12_info=(cafile,), config.dirman_password, config.dirman_password,
pkcs12_info=(cafile,),
master_host=config.master_host_name, master_host=config.master_host_name,
master_replication_port=master_ds_port, master_replication_port=master_ds_port,
subject_base=config.subject_base) subject_base=config.subject_base)
@@ -1740,4 +1860,4 @@ if __name__ == "__main__":
ds = dsinstance.DsInstance() ds = dsinstance.DsInstance()
ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
ca.configure_instance("catest.example.com", "password", "password") ca.configure_instance("catest.example.com", "example.com", "password", "password")
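Review bot: `set_crl_ocsp_extensions` hard-codes the CRL distribution point's cRLIssuer as `CN=Certificate Authority,o=ipaca` while the IPA CA's subject is built from the configurable `subject_base` set a few steps earlier; under RFC 5280 §4.2.1.13 a cRLIssuer that does not equal the certificate issuer declares an indirect CRL, and a relying party fetching MasterCRL.bin (signed by the IPA CA itself) may then reject it as coming from the wrong issuer. Unless Dogtag is known to rewrite that name to the real CA DN, the safer profile drops `crlDistPointsIssuerName_*`/`crlDistPointsIssuerType_*` and keeps only the URI point names. The scheme is also inconsistent: the `ipa-ca.<domain>` URIs use `https://` while the per-host OCSP URI uses `http://`, and an https AIA/CDP forces the client to validate the TLS certificate of the CRL/OCSP host — whose revocation status may need the very data being fetched — so plain `http://` for all four locations avoids that circularity. Finally, `crlDistPointsPointType_0` is never written to `URIName` the way `_1` is; presumably the stock profile already has it, but that should be confirmed.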